The present invention relates to a method and appertaining system for assessing the security risk of a computer network by measuring the deviation of the network's architecture, access policies, and device configurations from a set of “Best Practice Templates” (BPTs) that collectively constitute “good security” in the network infrastructure.
In addition to the protection of other important network devices, firewalls are a mainstay of corporate network security. These network devices enforce a security policy on the communication traffic entering or leaving one or more defined network zones. A well-designed security policy will provide access to internal networks for authorized sources while preventing unauthorized access to sensitive data assets. Ensuring that a firewall properly implements the desired security policy is essential to maintaining the security of the protected network zones.
Articulating a firewall policy as part of a firewall assessment, audit or hardening exercise turns out to be difficult, and calculating it may require deep analysis. Simple inspection of the firewall rules is not sufficient to determine whether or not the security policy implemented by the firewall complies with the requirements in a checklist. The mere presence in the ruleset of a rule denying an insecure network service like NetBIOS does not ensure that the service is truly blocked from reaching a critical server.
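As an added illustration of that last point (example code, not part of the patent or any product it describes), the following first-match ruleset evaluator asks what the firewall actually does to a NetBIOS flow rather than whether a deny rule exists; the addresses, rule names and two-rule ruleset are constructed for the example, and real firewall semantics (zones, stateful matching, implicit rules) are assumed away.

```python
# Added example: minimal first-match ruleset evaluator used to check whether a
# service is really blocked for a given flow, exposing a deny rule that is
# shadowed by an earlier, broader allow rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    ports: frozenset = frozenset()   # destination ports; empty means any port

def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and (not rule.ports or dport in rule.ports))

def decide(rules, src_ip, dst_ip, dport, default="deny"):
    """First-match semantics: the first matching rule decides the flow.
    Returns (action, rule name), or (default, None) when nothing matches."""
    for r in rules:
        if matches(r, src_ip, dst_ip, dport):
            return r.action, r.name
    return default, None

def service_blocked(rules, src_ip, dst_ip, ports) -> bool:
    """True only if every port of the service is denied for this flow."""
    return all(decide(rules, src_ip, dst_ip, p)[0] == "deny" for p in ports)

NETBIOS = frozenset({137, 138, 139})
CRITICAL_SERVER = "192.168.50.10"   # constructed address
WORKSTATION = "10.1.2.3"            # constructed address

# Constructed ruleset as an auditor might find it: the NetBIOS deny exists,
# but a broad "internal networks may reach the server segment" allow precedes it.
AS_FOUND = [
    Rule("internal-to-servers-any", "allow", "10.0.0.0/8", "192.168.50.0/24"),
    Rule("block-netbios-to-critical", "deny", "0.0.0.0/0", CRITICAL_SERVER + "/32", NETBIOS),
]
# The same two rules with the specific deny placed before the broad allow.
REORDERED = [AS_FOUND[1], AS_FOUND[0]]

if __name__ == "__main__":
    for label, rs in (("as found", AS_FOUND), ("reordered", REORDERED)):
        for p in sorted(NETBIOS):
            print(label, p, decide(rs, WORKSTATION, CRITICAL_SERVER, p))
        print(label, "NetBIOS blocked:", service_blocked(rs, WORKSTATION, CRITICAL_SERVER, NETBIOS))
```

Run against the ruleset as found, the checklist item "NetBIOS is denied" is satisfied by inspection, yet every NetBIOS port from the workstation reaches the critical server via the first rule; the reordered ruleset blocks it.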